b"                      Review of the Department=s\n           Requirements Definition & Testing Processes for the\n            Loan Origination and Loan Consolidation Systems\n\n\n\n\n                                   FINAL AUDIT REPORT\n\n\n\n\n                                    Audit Control Number 11-70010\n                                             March 1999\n\n\n\n\nOur mission is to promote the efficient                             U.S. Department of Education\nand effective use of taxpayer dollars                                Office of Inspector General\nin support of American education                                    Washington D.C. Field Office\n\x0c                              NOTICE\n Statements that management practices need improvement, as well as other\nconclusions and recommendations in this report, represent the opinions of the\n Office of Inspector General. Determination of corrective action to be taken\n will be made by appropriate Department of Education officials. This report\n    may be released to members of the press and general public under the\n                        Freedom of Information Act.\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                                Final Report                                      ACN 11-70010\n\n\n\n\n                                TABLE OF CONTENTS\n\nTABLE OF CONTENTS\n\nEXECUTIVE SUMMARY.............................................................................................................1\n\nINTRODUCTION ..........................................................................................................................6\n     Background.........................................................................................................................6\n     Objectives, Scope and Methodology ....................................................................................7\n     Statement on Management Controls ....................................................................................7\n\n\nAUDIT RESULTS..........................................................................................................................8\n     System Requirements for the Loan Origination and Loan Consolidation Systems\n      Were Not Adequately Defined ...........................................................................................8\n\n          System Specifications and Documentation Provided to EDS\n          Were Incomplete and Outdated......................................................................................... 12\n\n          Test Scenarios and Test Cases Did Not Ensure That the Loan Origination\n          and Loan Consolidation Systems Met the Required Functionality...................................... 14\n\n          Overall Documentation Supporting the Loan Origination\n          and Loan Consolidation System Testing Was Poorly Maintained....................................... 17\n\n          System Generated Management Information Reports\n          Were Not Reviewed or Tested ......................................................................................... 21\n\n          Loan Origination System Interfaces Were Not Adequately Tested\n          Prior to System Implementation........................................................................................ 22\n\nAPPENDICES\n     Appendix 1- Acronyms\n     Appendix 2- Department Reply to Draft Report\n     Appendix 3- OIG Response to Department Cover Letter Comments\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                  Final Report                          ACN 11-70010\n\n\n\n\n                             EXECUTIVE SUMMARY\nRequirements definition is one of several phases of the development of a system. It is the articulation\nof required functional and data management capabilities at a very detailed level. These requirements\nserve as the basis for the detailed system design. The subsequently designed system is then tested to\nconfirm that it actually meets the defined requirements.\n\nLate in Fiscal Year 1995, the Department awarded a contract to Electronic Data Systems (EDS) to\ndesign and implement a loan origination subsystem that would include both loan origination and loan\nconsolidation processes. This system had previously been under contract to Computer Data Systems,\nInc. (CDSI). [CDSI has recently been acquired by Affiliated Computer Services, Inc. (ACS). For\nclarity in this report, we will continue to refer to the incumbent contractor as CDSI.] The EDS contract\ncalled for an original system start-up date of January 15, 1996. However, EDS did not begin operation\nof the loan consolidation system (LCS) or loan origination system (LOS) until September 1996 and\nMarch 1997, respectively.\n\nBecause of the difficulties associated with the development and start-up of these systems, the Office of\nInspector General proceeded with plans to audit the processes associated with the Department=s\nrequirements definition and testing of the EDS developed systems. Specifically, our objectives were to\ndetermine whether the Department adequately defined its system requirements for the EDS LOS/LCS\ncontract and whether these requirements were adequately tested prior to system start-up. Overall, our\naudit work revealed that LOS and LCS requirements were not adequately defined for EDS by the\nDepartment, and the system testing that took place prior to start-up was inadequate. These deficiencies\nsubsequently contributed to system implementation delays, significant increases in contract costs and\nnegative publicity to the Department.\n\nThe Request for Proposal (RFP) issued by the Department required Athe development or conversion and\noperation of a subsystem to originate Federal Direct Student Loans, together with all services, hardware,\nsoftware and personnel necessary to operate the subsystem and originate loans effectively.@ The RFP\nstated that the software from the current system, operated by CDSI, would be provided to the successful\nbidder, for conversion or for use in the development of new software. The RFP also indicated that a\nsufficient amount of technical documentation was available and would be provided following contract\naward, to facilitate system development. Based upon the information presented, EDS proposed to\nconvert the LOS and LCS to a new hardware and software environment.\n\nHowever, some Department officials were aware that the previous loan origination contractor had built\nits system using proprietary software. In addition, CDSI had developed the LCS using commercial\ncopyrighted software that required a significant amount of manual support. Actual available system\nspecifications and documentation proved to be inaccurate and outdated. Therefore, EDS was unable\nto convert the source code from CDSI and was ultimately required to develop the systems from scratch.\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                 Final Report                         ACN 11-70010\n\n\n\nAlso, system test cases and scenarios did not provide assurance that processing requirements of the\nsystem would be met. Testing documentation did not provide sufficient evidence that all test procedures\nwere successfully completed. Furthermore, system generated management information reports were\nnot tested, parallel processing was not performed, and there was only limited stress testing of the\nsystems.\n\nWe acknowledge the Department=s current efforts to move towards a more Aperformance-based@ or\nAoutcomes-oriented@ approach to system procurement. We support the use of performance-based\ncontracting that will define Awhat@ the system needs to do as opposed to Ahow@ it needs to do it.\nHowever, functional requirements must still be defined in a manner that will adequately communicate\nthe intended outcomes of the system. If not fully defined in the Statement of Work (SOW), then the\nDepartment must ensure that functional requirements are clearly communicated and understood by the\nselected contractor after award, throughout the development of the system. The results of our audit\nwork indicate that requirements for the LOS/LCS were not adequately communicated under either\nmethodology.\n\nDetailed in the body of this report are findings specific to the LOS/LCS implementation. However, we\nbelieve that our recommendations can be used to improve the Department=s systems development and\nimplementation processes overall. Therefore, on the following page we have included a presentation\nof general control weaknesses noted, along with suggestions consisting of ways the Department can\nstrengthen these processes for use in future system development efforts, to avoid the difficulties and\ndelays encountered with the LOS/LCS.\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                             Final Report                                ACN 11-70010\n\n\n\n\n   To improve                    We recommend that the Chief Operating Officer for the Office of\n   controls over...              Student Financial Assistance Programs (OSFAP)...\n\n   Definition of system          & Establish procedures and controls to ensure the requirements definition process\n   requirements...                 is a collaborative process, with the appropriate functional offices having primary\n                                   responsibility for defining and approving business/functional requirements;\n                                 & Establish procedures and controls to ensure that PSS has primary responsibility\n                                   for ensuring the feasibility of offerors= proposed technical solutions, including their\n                                   alignment with Department-wide systems architecture and information technology\n                                   (IT) strategic plans; and\n                                 & Engage industry consultants, when necessary, to participate in the above noted\n                                   processes.\n\n\n   Providing accurate            & Improve procedures for evaluating contract deliverables, particularly in the area\n   and up to date                  of system design documents and specifications, to ensure that documentation is\n   system specifications           prepared at a sufficient level of detail and that all required functionality is\n   and documentation               documented prior to production implementation, or at least by system transition; and\n   to contractors...             & Provide detailed program information from the responsible program office when\n                                   contractors are selected for development efforts, to ensure that the contractor has a\n                                   solid understanding of the functional requirements necessary to meet the needs of the\n                                   Department users.\n\n\n   Preparation of test           & Ensure that test cases are prepared/reviewed by individuals with strong knowledge\n   scenarios and test              of the business functions the application is intended to support;\n   cases...                      & Ensure that there is a process in place to tie test cases to system requirements;\n                                   and\n                                 & Ensure conversion testing includes validation of data accuracy.\n\n\n   Supporting                    & Establish testing guidelines at a high level for all Office of Student Financial\n   documentation for               Assistance Program systems; and\n   system testing...             & Establish controls which require the contractor to record error resolutions in an\n                                   automated tracking system to be used as a reference tool.\n\n\n   System production of          & Develop test cases that include validating application generated reports based on\n   usable management               test data during Systems Integration Testing (SIT);\n   information                   & Ensure that Systems Acceptance Testing (SAT) includes the generation,\n   reports...                      validation, and acceptance of management reports by the intended users of the\n                                   reports prior to system implementation; and\n                                 & Ensure reports are produced during stress testing with production volumes of\n                                   data.\n\n\n   System interface              & Process production volumes of data through all applications during stress testing,\n   testing\xe2\x80\xa6                        prior to system implementation in the production environment;\n                                 & Establish guidelines for certifying applications to exchange data;\n                                 & Create a data dictionary for OSFAP which identifies standard data formats and\n                                   validation criteria for all Student Financial Aid systems.\n\n\n                                                                3\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                   Final Report                           ACN 11-70010\n\n\n\n\nDepartment's Reply\nOn February 18, 1999, the Department provided a written response to our draft report. The\nDepartment agreed that improvements can be made in writing requests for proposals and that\ndocumentation and testing can always be improved. The Department also agreed with all of our\nrecommendations and has stated they are in the process of being or have already been implemented.\n\nHowever, the Department does not agree that system requirements were inadequately defined and that\nsupporting documentation for testing was inadequate, although it is agreed that documentation was not\nmaintained as well as it should have been. In addition, the significance of the report findings at this late\ndate- four years after the request for proposal- is questioned.\n\nThe Department believes the report focuses narrowly on areas involving Department management\nand ignores problems with contractor project management. Concern is expressed over the fact that\nthe draft report does not provide the reader with information on corrective or proactive measures\nthat the Department undertook to correct problems with its contractor, including the Department\xe2\x80\x99s\nacceptance of oversight responsibility when the contractor was unable to process an unexpected\nnumber of loan consolidation requests by students, as well as contract modifications that included\nperformance measures that ensure improved product quality and services. Concern was expressed\nthat this final report would not reflect the revisions believed necessary to provide a balanced\nassessment of the Department\xe2\x80\x99s LO/LC systems conversion effort.\n\nOIG Response\nWe have carefully considered the Department\xe2\x80\x99s comments to the report. We acknowledge and\nappreciate the Department\xe2\x80\x99s actions on several of our recommendations. Appropriate changes have\nbeen made where necessary, however, this final report remains substantially unchanged from the draft\nversion.\nAs we noted in our draft report, our findings are specific to the LOS/LCS implementation. However,\nour recommendations are geared towards general controls that need to be improved or implemented for\nuse in future system development efforts, to avoid the difficulties and delays encountered with the\nLOS/LCS. While the Department notes that some of our recommendations have already been\nimplemented, we are concerned that the responses/actions are specific to this particular contract/system.\nThe Department must ensure that these recommendations are implemented at an organizational level,\nwith appropriate management controls and policies and procedures in place to prevent the reoccurrence\nof these issues on future system development efforts.\n\nOur audit scope and objectives were clearly stated to focus on the Department\xe2\x80\x99s requirements definition\nand testing processes, not the contractor\xe2\x80\x99s. Additional audit efforts are looking at other aspects of this\nparticular contract and will present information on other contributing factors to problems encountered,\nas noted on page 8 of this report. However, while we acknowledge that it was not unreasonable for the\nDepartment to expect certain actions by their contractor, the Department is the system owner and in the\nend is ultimately responsible for ensuring the adequacy of its contractors\xe2\x80\x99performance. In this regard,\n\n                                                      4\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                  Final Report                            ACN 11-70010\n\n\nthe Department has the responsibility to provide the contractor any and all relevant information in its\npossession or under its control that is needed to properly develop the system. The Department must\ntake steps to ensure that its internal controls are sufficient to mitigate problems created by contractors.\n\nWe previously included and acknowledged in our draft report actions taken to improve processes\napplicable to our audit scope, such as is noted with regard to testing processes/practices under\nFindings # 3 & 4. While we acknowledge the Department\xe2\x80\x99s corrective measures cited, they are not\npertinent to the scope of our audit. Our objectives focused solely on the Department\xe2\x80\x99s processes for\ndefining system requirements and system testing. The measures cited by the Department do not\naddress actions that would improve upon these processes. Had the Department had adequate\nmeasures in place to define requirements and test the systems, there most likely would not have been\na need for the cited corrective actions subsequent to system implementation. The specific\nimprovements/measures cited by the Department in their response may be cited through other\napplicable audit work currently being performed under Audit Control Number 04-80008: \xe2\x80\x9cReview\nof the Department\xe2\x80\x99s Post Award Administration of the EDS Contract\xe2\x80\x9d.\nThis report includes, after each finding, a summary of the Department\xe2\x80\x99s comments. We have addressed\nareas where we disagree with the comments. A copy of the complete text of the response is contained\nin Appendix 2. An OIG response to the Department\xe2\x80\x99s cover letter that accompanied the comments to\nthe report findings is contained in Appendix 3.\n\n\n\n\n                                                     5\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                 Final Report                          ACN 11-70010\n\n\n\n\n                                          INTRODUCTION\nBackground\n\nUnder the Direct Loan Program, the Federal Government provides loan capital directly to student and\nparent borrowers rather than through private lenders. Participating schools, acting on behalf of the\ngovernment, deliver funds directly to eligible student and parent borrowers. The Department contracts\nwith the private sector to provide origination, servicing and accounting systems and to perform related\nservices.\n\nThe contractor for the Loan Origination Center (LOC) is responsible for Direct Lending activities up\nto loan repayment. These activities include promissory note and loan origination processing, estimation\nand drawdown, disbursement and loan changes. The LOC also processes requests for Direct\nConsolidation Loans. Through consolidation, borrowers may combine various types of federal education\nloans, including Direct Loans and loans made through the Federal Family Education Loan (FFEL)\nProgram. Consolidation may extend a borrower=s repayment period, provide an interest rate break in\nsome cases, and eliminate dealing with multiple lenders.\n\nThe former LOC contractor, Computer Data Systems, Inc (CDSI), [recently acquired by Affiliated\nComputer Services, Inc.], had performed all loan origination functions as well as all loan servicing\nactivities for the Direct Loan program since program inception. In order to separate Direct Loan\nfunctions and to take advantage of the competitive bid process, the Department issued a Request for\nProposal (RFP) for a new LOC contractor. The contract was subsequently awarded to Electronic Data\nSystems (EDS) late in Fiscal Year 1995.\n\nThe EDS contract called for an original start-up date of January 15, 1996 for the combined loan\norigination subsystem, which included both loan origination and loan consolidation processes. This date\nwas eventually extended to May 1996. After EDS was unable to meet the extended start-up date, the\ndevelopment effort for each process was split, with separate development schedules established for each.\n The Department continued to use the systems operated by CDSI until EDS was able to implement its\nloan consolidation and loan origination systems (LCS/LOS). EDS began operation of the LCS in\nSeptember 1996 and the LOS in March 1997.\n\nBecause of the difficulties associated with the development and start-up of these systems, the Office of\nInspector General proceeded with plans to audit the processes associated with the Department=s\nrequirements definition and testing of the EDS developed systems.\n\n\n\n\nObjectives, Scope and Methodology\n\n\n\n                                                    6\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                    Final Report                          ACN 11-70010\n\n\nThe objectives of our audit were to:\n\n          (1) Determine whether the Department adequately defined its system requirements for the EDS\n          LOS/LCS contract; and\n\n          (2) Determine whether requirements were adequately tested prior to system start-up.\n\nTo accomplish our objectives, we reviewed all test files for Systems Integration Testing (SIT), Systems\nAcceptance Testing (SAT), and First Live Batch Testing associated with each system. We assessed the\nadequacy of the test case scenarios, test case sign-off sheets and issue resolution process, as well as the\ndocumentation supporting the test results. We interviewed a total of 34 Department, EDS and\nIndependent Quality Control Unit (IQCU) officials and staff involved with the requirements definition\nand/or testing processes for the systems. We also reviewed relevant contract documentation, including\nthe RFP, EDS Technical Proposal and any modifications and Task Orders associated with the contract.\n\nOur audit covered the period beginning with LOS/LCS RFP development through systems= start-up.\nFieldwork was performed at the EDS Ballston, Virginia office and applicable Department of Education\noffices between September 1997 and March 1998. We met with Department officials in August and\nSeptember 1998 to discuss the results of our audit. Our audit was performed in accordance with\ngovernment auditing standards appropriate to the scope of the review described above.\n\nStatement on Management Controls\n\nAs part of our audit, we assessed the management controls applicable to the Department=s systems\nrequirements definition and testing processes, including policies, procedures and practices applicable\nto the scope of the audit. Our assessment was performed to determine the level of control risk for\ndetermining the nature, extent and timing of our substantive tests to accomplish the audit objectives.\n\nFor the purpose of this report, we assessed and classified the significant controls into the following\ncategories:\n\n          ---       system requirements definition;\n          ---       system testing\n\nBecause of inherent limitations, a study and evaluation made for the limited purposes described above\nwould not necessarily disclose all material weaknesses in the above areas. However, we identified\nweaknesses and recommended improvements for future system development and testing efforts. These\nweaknesses are discussed in the Audit Results section of this report.\n\n\n\n\n                                                       7\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                           Final Report                                 ACN 11-70010\n\n\n\n\n                                          AUDIT RESULTS\nThe following is a presentation of our findings noted as a result of our audit work, accompanied by\napplicable recommendations. Overall, our audit work revealed that LOS/LCS system requirements were\nnot adequately defined by the Department in the RFP and the system testing that took place prior to\nstart-up was inadequate. These weaknesses subsequently contributed to a number of problems,\nincluding:\n\n<         delays in implementing the EDS developed systems;\n\n<         significant increases in contract costs to successfully implement the systems;\n\n<         the eventual shutdown of the Loan Consolidation system due to the inability to timely\n          and adequately process consolidation requests;\n\n<         Congressional hearings on the deficiencies of the EDS Loan Consolidation system; and\n\n<         the creation of a negative image of the Department=s ability to manage an effective Direct Loan\n          Program by the student aid community and borrowers.\n\n[Additional contributing factors to the problems noted above will be addressed through audit work being completed under Audit\nControl Number 04-80008: AReview of the Department=s Post-Award Administration of the EDS Contract@]\n\nDetailed in the body of this report are findings specific to the LOS/LCS implementation. However, we\nbelieve that the recommendations presented can be used to improve the Department=s future systems\ndevelopment and implementation processes overall, and thereby avoid the difficulties and delays\nencountered here.\n\n\nFinding No. 1                  System Requirements for the Loan Origination and Loan\n                               Consolidation Systems Were Not Adequately Defined\n\nLoan Origination\n\nThe functionality of the LOS, originally developed by CDSI, was not adequately defined in the RFP\nissued by the Department. As noted in the Department=s System Life Cycle Management Manual,\nrequirements definition is one of several phases in the development of a system. It is during this phase\nthat required data and data processing capabilities are defined in detail, and a detailed data dictionary\ncapturing the data requirements is created. The requirements definition phase provides the detailed\ninformation needed for the design of the system.\nWe acknowledge the Department=s awareness that the approach described above is somewhat outdated\nand that they are working to update the System Life Cycle Management Manual to reflect a more\n\n                                                              8\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                  Final Report                            ACN 11-70010\n\n\nAperformance-based@ or Aoutcomes-oriented@ approach to system procurement. We support the use of\nperformance-based contracting that will define Awhat@ the system needs to do as opposed to Ahow@ it\nneeds to do it. However, functional requirements must still be defined in a manner that will adequately\ncommunicate the intended outcomes of the system. If not fully defined in the SOW, then the\nDepartment must ensure that functional requirements are clearly communicated and understood by the\nselected contractor after award, throughout the development of the system. The results of our audit\nwork indicate that requirements for the LOS/LCS were not adequately communicated under either\nmethodology.\n\nThe RFP stated that the software from the current system, operated by CDSI, would be provided to the\nsuccessful bidder, for conversion or for use in the development of new software. The RFP also\nindicated that a sufficient amount of technical documentation was available and would be provided\nfollowing contract award, to facilitate system development. Based upon the information provided in\nthe RFP, EDS proposed to >convert= the existing CDSI system to a new hardware and software\nenvironment.\n\nInterviews with Department staff indicate that some key Department officials were aware that the LOS\ndeveloped by CDSI interacted with and was dependent upon proprietary software used by CDSI to\nsupport their Direct Loan servicing and accounting (FARS) systems. Because the proprietary routines\nused by CDSI to process loan origination data were unavailable to EDS, EDS was unable to Aconvert@\nthe CDSI program into a fully functional system. Furthermore, the actual available specifications and\ndocumentation for the CDSI system proved to be inaccurate and outdated. [See Finding 2]\n\nLoan Consolidation\n\nIn addition to originating student loans, the RFP also required the successful bidder to develop an\nautomated system to support the business of consolidating student loans. The Loan Consolidation\nSystem would combine existing multiple student loans, held by an individual borrower, into a single loan\nfor repayment purposes. The functional requirements for loan consolidation were described at a very\nhigh level in the RFP. The CDSI loan consolidation application operated on a stand-alone, PC-based\nenvironment and required a significant amount of manual support. The business requirements for loan\nconsolidation were never fully documented by either CDSI or the Department. In addition,\nrequirements were continually changing. Therefore, the Department was unable to clearly define the\nrequired system functionality in the RFP.\n\nLack of Technical Expertise & User Involvement\n\nThe team assembled by the Department to define the required features of the Loan Origination\nSubsystem in the Statement of Work (SOW) for the RFP was comprised predominantly of Program\nSystems Service (PSS) personnel, primarily individuals new to the Department of Education who did\nnot have much Direct Loan Program knowledge. In addition, concerns were noted with regard to the\nlevel of technical expertise of the individuals involved. Specifically, one Department official stated that\nthe Department could not have effectively reviewed and commented on the EDS proposal because they\nwere unfamiliar with the proposed technology. A number of EDS officials noted that while the\nDepartment representatives had a strong business knowledge, they lacked systems/technical expertise.\n\n                                                     9\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                    Final Report                           ACN 11-70010\n\n\n\n\nRepresentatives from one of the key beneficiary/user offices of the Loan Origination and Loan\nConsolidation data- the Accounting and Financial Management Services (AFMS)- indicated they were\nnot adequately involved in the SOW development prior to its release, citing inadequate timeframes\nprovided for documentation review and the procurement team=s failure to address issues raised by\nAFMS in some key functional areas. Lack of adequate involvement by this office in drafting the SOW\nfailed to ensure that all procedures for interacting with Department systems were thoroughly addressed.\nAll of the potential users of the application should be involved in all facets of developing the systems=\nbusiness requirements before initiating system development efforts. Successfully capturing the business\nrules, at a detailed level, should be the responsibility of the organization most knowledgeable of the\nrules.\n\n\nRecommendations\n\nWe recommend that the Chief Operating Officer:\n\n1)        Establish procedures and controls to ensure the requirements definition process is a collaborative\n          process, with the appropriate functional offices having primary responsibility for defining and\n          approving the business/functional requirements;\n2)        Establish procedures and controls to ensure that PSS has primary responsibility for ensuring the\n          feasibility of the offeror=s proposed technical solutions, and that the proposals are aligned with\n          Department-wide systems architecture and information technology (IT) strategic plans; and\n3)        Engage industry consultants, when necessary, to assist in the above noted processes.\n\nDepartment\xe2\x80\x99s Reply\n\nThe Department did not agree with this finding, noting that a detailed redefinition of the functional\nrequirements was not required, as they were already more than adequately defined during their\ndevelopment at the original contractor, CDSI. It would be neither necessary nor cost efficient to go\nthrough a complete system development life cycle process each time a system is moved. However, the\nDepartment did acknowledge that documentation from CDSI regarding various data anomalies was not\nmade available, thereby leaving EDS with requirements for processing of which they were unaware.\n\nThe Department concurs with the recommendations and is in the process of implementing them. It was\nnoted that systems consultants have already been engaged during systems development, specifically\nduring the original Direct Loan program implementation.\n\nOIG Response\n\nWe have reviewed the Department\xe2\x80\x99s response and do not feel that the information provided warrants\nany revisions to our finding or recommendations, for the reasons noted in the finding as well as the\nfollowing. Functional requirements should be defined in sufficient detail to allow a conversion to\n\n                                                      10\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                  Final Report                            ACN 11-70010\n\n\nproceed efficiently. Based upon the information presented in the above finding and Finding #2, it is\nreasonable to conclude that the absence of detailed requirements compromised that efficiency. A\nfunctional reassessment would have been an appropriate step to take in order to mitigate the risk that\ninadequate system documentation on the part of the incumbent contractor would compromise a\nmigration to the new contractor. This is especially true when system specifications are in any way\nchanged during actual implementation.\n\nWhile we agree that it is neither cost efficient or necessary to go through a complete system\ndevelopment process each time a system is moved, we do not believe it is acceptable to bypass the need\nfor a comprehensive and systematic review of critical controls based on a significant change to the\noperating environment. A move of a complex system from one \xe2\x80\x9chost\xe2\x80\x9d to another would be expected\nto be accompanied by a fairly well-defined effort to identify potential problems.\n\nIn addition to the deficiencies contained in the documentation provided to EDS (as noted in Finding #2),\nYear 3 software requirements continued to be refined as were the requirements for consolidation. EDS\nwas also required to work with the Department to define requirements for the In-School Consolidation\nprocess, Origination levels 4 & 5 and interface with the Central Data System.\n\nOn March 13, 1996, a meeting was held between the Department and EDS concerning the on-going\nchanges to the requirements. The Department conceded that many of the requirements had yet to be\ndefined even though the system was scheduled for delivery in approximately 2 weeks. Therefore, we\nbelieve that system requirements were not adequately defined.\n\nAlso, the Department notes in response to one of the recommendations that outside consultants have\nbeen used on a previous procurement. While we are not in disagreement with this particular statement,\nno outside consultants were used on the EDS procurement. While some Department officials may have\nbelieved the Department employees assembled to write the SOW and evaluate offeror proposals had the\nappropriate knowledge and expertise to negate the need for outside consultants, the results of our\nanalysis as well as follow-up discussions with some of these officials indicate that this may not have been\nthe case. The Department must ensure that appropriate controls are in place at an organizational level\nso that outside consultants will be used whenever necessary on any system procurement. This issue is\ndiscussed in more detail in an OIG draft audit report recently issued on the Department\xe2\x80\x99s Acquisition\nProcess for OSFAP Information Systems, ACN 11-80004.\n\n\n\n\nFinding No. 2                  System Specifications and Documentation Provided to EDS Were\n                               Incomplete and Outdated\n\nOnce the decision was made to allow EDS to proceed with their proposed conversion of CDSI=s system,\nit was incumbent upon the Department to ensure that the CDSI system specifications and documentation\n\n                                                    11\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                 Final Report                          ACN 11-70010\n\n\ndelivered to EDS define the LOS at a level which ensured that all required functionality would be\nincluded in the >converted= application. However, the documentation for the original subsystems was\neither in excess of a year old, or did not exist. In many cases, the initial documentation had not been\nupdated to reflect enhancements made to the system. Upon receipt of the LOS documentation by the\nEDS technical team, concerns immediately surfaced regarding the quality and depth of the available\ninformation.\n\nThe dynamic nature of the Direct Loan Program during Years 1 & 2, required that CDSI focus on rapid\ndevelopment and modification to the system, rather than allocating sufficient effort to maintaining the\nsystem documentation. In addition, the Department staff assigned to review the system documentation\nappeared to review only for overall reasonableness- not at a detailed technical level. Subsequently, the\navailable documentation did not contain a sufficient level of detail on which to base a new development\neffort.\n\nYear 1 efforts to increase school participation in the program resulted in a focus on\naccommodating the processing needs of individual schools rather than ensuring continuity in\nhandling incoming data.\n\nOur audit disclosed that the Department and CDSI operated in a reactive, rather than a proactive mode,\nin defining and implementing the Loan Origination System for processing academic Years 1 and 2.\nFor Year 1, the CDSI Loan Origination System processed information for 103 schools. This limited\nlevel of participation allowed the Department to define the Direct Loan Program requirements and to\nfinalize the necessary functionality of the Loan Origination System as the program matured. This\nrestricted level of participation allowed CDSI to react quickly to technical issues encountered as data\nwas received from participating schools and to accommodate unique processing requirements for\nvarious schools.\n\nAlthough responsiveness was critical in terms of establishing school participation in the program, it\nresulted in a high level of exception processing by CDSI for individual schools. These exceptions\nresulted in an inefficient development effort and a heavy reliance on manual processes to meet program\nrequirements. The LOS production environment focused on the processing needs of individual schools\nrather than establishing policies and procedures that ensured continuity in handling data received from\nall of the participating schools.\n\n\n\n\nProprietary Software Used by CDSI was Unavailable to EDS\n\nAs noted previously, CDSI\xe2\x80\x99s LOS application was also interactive with, and dependent upon, proprietary\nsoftware used to support their Direct Loan servicing and accounting systems. Because the proprietary\nroutines used by CDSI to process loan origination data were unavailable to EDS, EDS was unable to\n>convert= the CDSI program into a fully functional Loan Origination System. When the government-\n\n                                                   12\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                     Final Report                            ACN 11-70010\n\n\nowned programs from the CDSI application were converted, recompiled, and executed by EDS, the\napplication processing failed. EDS was then required to develop new application modules and\nsubroutines to replace the proprietary functionality.\n\nThe lack of documented functional requirements, as well as EDS=s lack of loan processing industry\nknowledge, created a significant burden for EDS in verifying the application conversion as well as\ndeveloping the code required to support the functions which had been performed by the CDSI\nproprietary code. Additionally, the communication of business requirements was required to be\nprovided to EDS through PSS, rather than directly from the functional offices. This potentially\nincreases the risk of misinterpretation and confusion in defining the business rules. While it is\nrecognized that individuals without contracting authority may not direct the contractor, preventing\ndirect contractor access to designated key subject matter expert points of contact creates a significant\ndisservice to effective system development and implementation.\n\n\nRecommendations\n\nWe recommend that the Chief Operating Officer:\n\n1)        Improve procedures for evaluating contract deliverables, particularly in the area of system design\n          documents and specifications. The Department should ensure that documentation is prepared\n          at a sufficient level of detail and that all required functionality is documented prior to production\n          implementation, or at the very least prior to system transition. Final payment under the contract\n          should be withheld until satisfactory documentation is completed; and\n2)        Ensure that throughout the development process, the responsible program office provides\n          detailed program/functional information to new contractors. Development should not be\n          initiated without complete confidence that the contractor has a solid understanding of the\n          functional requirements necessary to meet the needs of the Department users.\n\nDepartment\xe2\x80\x99s Reply\n\nThe Department agreed that the former contractor\xe2\x80\x99s documentation was in some areas incomplete and\nout of date, but believes that EDS should have identified this limitation during its review of the\ndocumentation maintained in the RFP library. EDS should have posed many questions during the RFP\nprocess to clarify its understanding of system requirements.\n\n\nWhile there is concurrence with our recommendations, the Department believes that the responsible\nprogram office was already providing program/functional information to EDS throughout the\ndevelopment process.\n\nOIG Response\n\n\n                                                       13\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                  Final Report                          ACN 11-70010\n\n\nWe acknowledge that it was not unreasonable for the Department to expect EDS to have identified\nweaknesses in the documentation and pose questions during the RFP process. However, the\nDepartment still had primary responsibility for ensuring that weaknesses were identified and questions\nasked- especially in light of the fact that the Department admits its awareness that the documentation\nwas incomplete and out of date in some areas.\n\nIn a letter dated 9/15/95 to the Department, EDS notes the condition of the items provided by CDSI\nand the documentation missing, noting the overall impact this would have on systems development.\nSome of the missing and/or outdated items included lack of functional requirements for reconciliation\nand consolidation; lack of a data dictionary for reconciliation; no proprietary modules for Origination,\nConsolidation and Reconciliation; and no updates to Loan Origination and Consolidation documents\nfor at least 9 months. In a subsequent analysis performed by the Department\xe2\x80\x99s Contract Specialist on\nthe status of system documentation provided by CDSI, the overall conclusion was that CDSI\xe2\x80\x99s\ndocumentation for the system was substandard and in no facet did it meet the requirements set forth in\nthe SOW or the contractor\xe2\x80\x99s proposal.\n\nThe Department is the system owner and in the end is ultimately responsible for ensuring the adequacy\nof its contractors\xe2\x80\x99 performance. In this regard, the Department has the responsibility to provide the\ncontractor any and all relevant information in its possession or under its control that is needed to\nproperly develop the system. Our interviews with Department management and program officials\nsuggest that this did not happen for this procurement, nor has the Department indicated in its response\nthat a process is in place to ensure this happens in all future procurements. Therefore, our finding and\ncorresponding recommendations will remain unchanged.\n\n\n\nFinding No. 3                  Test Scenarios and Test Cases Did Not Ensure That the Loan\n                               Origination and Loan Consolidation Systems Met the Required\n                               Functionality\n\nThe test scenarios, comprised of a series of test cases and the associated expected results, did not\nprovide adequate assurance that processing requirements of the LOS and LCS data would be met. As\nstated in the Department=s System Life Cycle Management Manual, preliminary test plans are to be\ndeveloped during the requirements definition phase. These plans are to include test scenarios the testing\nwill use to confirm that the system meets the defined requirements. Failure to properly and sufficiently\nprepare test cases can contribute to post-production system problems.\n\nPer interviews with EDS, IQCU and Department staff, test documents were developed by the EDS test\nteam based on limited knowledge of the Loan Origination and Loan Consolidation business\nrequirements, and reviewed by Department representatives. For the January 1996 Systems Integration\nTesting performed by EDS, no scenarios or test cases were created by either EDS or the Department.\nEDS was not prepared for this phase of testing. For subsequent Loan Origination and Loan\nConsolidation Systems test phases, IQCU and EDS staff noted that test scenarios and test cases were\npoorly defined, due to the absence of functional detail contained in the Requirements Traceability Matrix\n\n                                                    14\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                   Final Report                          ACN 11-70010\n\n\n(RTM). Required functions were not specifically identified and related to an individual test case for\nvalidation. The condition of the RTM forced the test teams to rely on verbal communication with the\nsystem engineers for clarification of the functional requirements and expected results used to create the\ntest cases.\n\nIn addition, the data that was converted from the CDSI system was not adequately tested. EDS\nappeared to have focused on meeting testing milestones rather than the testing of the accuracy of the\nconverted data. Furthermore, one EDS representative noted that the conversion program was run only\nto determine whether it would complete without error, and that no one from the Department reviewed\nthe converted data for accuracy. It was also noted that the scope and definition of conversion testing\nrequirements were not well defined in either the RFP or the EDS proposal. Failure to adequately test\nthe data conversion effort subsequently resulted in processing errors when the LOS was placed into\nproduction.\n\nBased upon limited observation and discussions with key EDS and Department officials, recent testing\nefforts appear to have improved. Year 5 testing of the LOS & LCS was noted as being much more\nformal- including more organization through the use of an automated database tool for tracking and\nmonitoring test results, the consistent presentation of test results, and requirements in the RTM are now\nbeing mapped to specific test cases.\n\n\n\nRecommendations\n\nWe recommend that the Chief Operating Officer:\n\n1)        Ensure that test cases are prepared by individuals with strong knowledge of the business\n          functions the application is intended to support. If the contractor is Anew@ to the business,\n          require the use of a consultant/subcontractor who is knowledgeable of the business or ensure\n          that all test cases are reviewed by knowledgeable Department personnel;\n\n2)        Ensure there is a process in place that ties test cases to system requirements; and\n\n3)        Ensure conversion testing includes validation of data accuracy.\n\n\n\nDepartment\xe2\x80\x99s Reply\n\nThe Department agreed that the initial testing effort was seriously flawed, but believes that the\nsubsequent testing efforts for the September 1996 LC system implementations and the March 1997 LO\nsystem were properly performed. The Department believes that the subsequent LO and LC testing\nprovided assurance that the processing requirements, as defined, were successfully met. In mid-1996,\nEDS began adding personnel who possessed significant education lending industry experience that were\nassigned to the requirements, development and testing groups.\n\n                                                     15\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                  Final Report                            ACN 11-70010\n\n\n\n\nThe Department also notes that while there were significant problems with the data converted from the\noriginal loan origination database, there were significant conversion activities that were successful. Most\nof the data was converted successfully, evidenced by the fact that once production began, a majority of\nthe data processed correctly on a daily basis. Many of the processing problems that occurred following\nimplementation related to data anomalies inherited from the former contractor. Active intervention by\nthe Department and EDS identified the cause(s) of problems when they occurred. Subsequent changes\nmade to vendor and school-based software allowed data related problems to be reduced to a very small\npercentage of the data transmitted daily.\n\nThe Department agrees with our recommendations, noting that two of them, pertaining to the\npreparation of test cases by individuals with strong knowledge of the business functions the application\nis intended to support and assurance that a process is in place to tie test cases to systems requirements,\nhave already been implemented.\n\nOIG Response\n\nWe acknowledge that improvements have been made in later testing efforts and had previously noted\nthem in our draft report. However, we have reviewed the Department\xe2\x80\x99s response and do not believe\nany revisions are necessary to our finding or recommendations. In addition to the information provided\nin the above finding, conversion of data was continuously noted as one of the biggest challenges in\nimplementing the LO system by both EDS and Department management and staff. The reconciliation\nmodule experienced difficulties for over 2 months after the system was implemented due to significant\ndata conversion problems.\n\nWhile the Department notes that two of our recommendations have already been implemented, we are\nconcerned that, with the exception of recommendation #3, the responses/actions are specific to this\nparticular contract/system. The Department must ensure that these recommendations are implemented\nat an organizational level, with appropriate management controls and policies and procedures in place\nto prevent the reoccurrence of these issues on future system development efforts.\n\n\n\n\nFinding No. 4                  Overall Documentation Supporting the Loan Origination and\n                               Loan Consolidation System Testing Was Poorly Maintained\n\nOur review of the supporting documentation for the testing of LOS and LCS for Years 2/3/4 disclosed\nthat the documentation was incomplete and did not provide sufficient support that all test procedures\nwere successfully completed. The overall quality of the supporting documentation for the SIT and SAT\ntesting of the Loan Origination and Loan Consolidation Systems was poor. The following table presents\nthe percentage of test cases for which documentation was missing, at each level of testing reviewed.\n\n                                                    16\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                          Final Report                        ACN 11-70010\n\n\n[\xe2\x80\x9cDashes\xe2\x80\x9d (---) indicate that 100% of the documentation was available- nothing was missing.]\n\n\n                                    LO SIT          LO SIT             LO SAT     LC SIT          LC First\n                                    Yrs 2/3         Yrs 2/3/4                                    Live Batch\n\n missing test                             27%            13%                ---       15%                  37%\n scenarios\n\n missing support for                          ---         8%               33%        32%                  55%\n test results\n\n missing evidence                         35%            14%                7%             ---              ---\n of resolution for\n noted testing\n errors\n\n missing sign-off                             ---        15%                ---            ---              ---\n sheets\n\n missing signatures                    ED-9%               ---              ---     ED-39%                  ---\n on sign-off sheets                  EDS-11%                                       EDS-65%\n                                    IQCU-19%                                      IQCU-38%\n\nPer interviews with IQCU, EDS and Department representatives, it appears that no formal written\npolicies and procedures for reviewing the results of individual test cases were established prior to\ninitiating, or during, testing of the LOS and LCS. No central point of control was established for\nensuring that the test case folders contained the required documentation, approval signatures, and\nsupport for error resolutions prior to retiring the test case. This condition resulted in a failure to\nconsistently document issues and resolutions for future reference by EDS or the Department,\neliminating the ability to identify recurring errors.\n\n\n\n\nThe deficiencies noted above also impacted the effectiveness of an EDS developed Central Tracking\nSystem (CTS) database. Errors identified during LOS and LCS testing were documented by EDS\non a Central Tracking System (CTS) sheet and assigned a unique tracking number. The information\nfrom the CTS sheet was entered into the CTS database for tracking purposes. Although the CTS is\nno longer used by EDS, we were provided an electronic copy of the retired CTS application and its\nassociated database to analyze during our audit. Our evaluation of the CTS database identified\nerrors and issues which remained unresolved at the conclusion of the LOS and LCS testing. There\nwas no evidence that unresolved CTS records were migrated to the Direct Loan System\nModification Request (DMR) database at the time the Central Tracking System was retired.\nAdditionally, the CTS database contained a high percentage of records with a status of closed.\n\n\n                                                            17\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                   Final Report                          ACN 11-70010\n\n\nHowever, these closed records did not contain a description of how the error was resolved or\nidentify the individual responsible for approving the resolution.\n\nAs previously noted, based upon limited observation and discussions with key EDS and Department\nofficials, recent testing efforts appear to have improved. Year 5 testing of the LOS & LCS was\nnoted as being much more formal- including more organization through the use of an automated\ndatabase tool for tracking and monitoring test results, the consistent presentation of test cases, and\nrequirements in the RTM are now being mapped to specific test cases.\n\n\n\nRecommendations\n\nWe recommend that the Chief Operating Officer:\n\n1)        Establish testing guidelines to be used for all Department systems;\n2)        Implement controls to ensure that once agreed upon, test procedures are strictly adhered to by\n          contractor and Department staff;\n3)        Monitor the status of each test case and any errors identified during testing; and\n4)        Establish controls which require the contractor to record error resolutions in an automated\n          tracking system to be used as a reference tool.\n\nDepartment\xe2\x80\x99s Reply\n\nThe Department believes the supporting documentation used to manage and report the acceptance\ntesting process for Years 2, 3 and 4 testing was adequate. The Department\xe2\x80\x99s opinion is that the\nOIG did not expend sufficient audit resources to obtain the testing documentation reported as\nmissing. Included with the response are the results of the Department\xe2\x80\x99s own review of the testing\ndocumentation in comparison with the testing documentation reported missing by the OIG, noting\nthat in most instances the number of documents identified by the OIG as missing was either inflated\nor erroneous.\n\n\nThe Department concurred with all of our recommendations and noted that they are in the process\nof being implemented.\n\nOIG Response\n\nWe strongly disagree with the Department\xe2\x80\x99s statement that we did not expend sufficient audit\nresources to obtain the testing documentation reported missing. We believe that we exercised due\nprofessional care in performing the documentation review and in evaluating and reporting the\nsubsequent results, as follows. All testing documentation was initially requested from the\nappropriate Department management official, who referred us to EDS\xe2\x80\x99s Ballston, VA facility, where\n\n                                                     18\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                 Final Report                          ACN 11-70010\n\n\nthe documentation was kept. Upon starting fieldwork at the Ballston facility in September 1997, we\nwere assigned an EDS contact person and Departmental contact person for needed\ndocumentation/information, who were both provided with a copy of our documentation request.\n\nTesting documentation was subsequently obtained in November 1997 from EDS\xe2\x80\x99s testing manager\nfor the Loan Origination/Loan Consolidation system. After our review of 100% of the\ndocumentation provided, it was apparent that the documentation provided was incomplete. We\nconveyed this information to the testing manager and subsequently to the EDS Project Manager in a\nmeeting in January 1998. We also spoke to the Department\xe2\x80\x99s on-site monitor, our Departmental\ncontact, in January 1998, about the testing documentation.\n\nBetween January and March 1998, we asked several interviewees from ED, EDS and the IQCU\nabout the testing process and how testing documentation was organized. It was consistently stated\nthat test data was kept organized in folders, which included not only test case scenarios but also\nadditional documentation such as the resulting outputs and tracking sheets that would show the\nstatus of any open testing issues. It was also noted that all test teams worked from a single sign-off\nsheet and that these were placed in the test folder.\n\nUpon completion of our site work at EDS\xe2\x80\x99s Ballston facility and subsequent completion of our\npreliminary analysis of our results, we conducted a pre-exit conference meeting with Department\nofficials, where we presented the preliminary results of our review, providing another opportunity\nfor information to be presented that would lead us to believe that our facts were misrepresentative\nbefore placing them into a draft report. While there was some initial surprise over the missing\ndocumentation, it was only requested that we include the percentages of missing information in our\nreport, as there was thought that the initial testing effort would probably prove to be more\nproblematic than subsequent efforts.\n\nIn addition, it appears that the Department has mistaken some of the information presented in our\nreport. The \xe2\x80\x9cdashes\xe2\x80\x9d used in the table noting the percentages of documentation missing were meant\nto indicate that 100% of the documentation was found- none was missing. It appears it was misread\nas meaning none or 0% of the documentation was found. This misunderstanding significantly\nimpacts the results of the Department\xe2\x80\x99s analysis. Additional comments from the Department\xe2\x80\x99s\nanalysis do not materially affect the outcome of this finding. In several places it is cited that\ndocumentation was available elsewhere and it is noted that it may be difficult to locate without\nassistance as it was not kept in the test folders. We made repeated requests for the documentation\nwe were missing, as noted previously. Not once did anyone allude to the missing documentation\nbeing anywhere else other than the test folders maintained by the testing manager. In addition, the\nmajority of the documentation was kept in the test folders in these instances. It seems unreasonable\nto believe that a small percentage would have been kept separately.\n\nWe performed some additional follow-up work with regard to the Department\xe2\x80\x99s analysis and spoke\nwith the testing manager from EDS who actually prepared the analysis. Our conversations with her\nrevealed that there was no review performed that adequately identified the specific documentation\nwe reported as missing. In some instances, percentages of the various types of information that was\n\n\n                                                   19\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                   Final Report                             ACN 11-70010\n\n\nmissing, per our review, were compared with what was found after reviewing the test files on hand.\n[i.e.- For test scenarios, if the files on hand showed that each file had a test scenario in it, this was\nconsidered to mean that 100% of the documentation was available. There was no confirmation that\nall test files were accounted for or if test scenarios were in fact the correct test scenario for that file.]\n In some cases, random samples were taken, as the testing manager noted that it was not possible for\na 100% review to be performed on what we reported as missing. In support of some of the missing\ndocumentation, copies of summary test reports were referred to with the conclusion that the\nDepartment and IQCU signed-off on them, indicating that all errors must therefore have been\ncorrected. EDS has noted in a written response to the Department provided along with their\nanalysis that supporting documentation for pre-implementation testing of the LOS and LCS was not\nfully in order, but that measures have since been taken for post-implementation testing efforts to\ninsure that test documentation is preserved long term.\n\nWe were also informed that no Department representatives reviewed the analysis prepared by EDS\nfor adequacy or accuracy, and that all hardcopy documentation from the test phases we reviewed\nhad been boxed up and archived in a storage warehouse back in December 1998.\n\nWhile the Department concurs with our recommendations, we remain concerned once again that some\nof the responses/actions are specific to this particular contract/system. The Department must ensure\nthat these recommendations are implemented at an organizational level, with appropriate management\ncontrols and policies and procedures in place to prevent the reoccurrence of this issue on future system\ndevelopment efforts.\n\nOur finding will remain as stated, however we have modified the title to present the issue more\nclearly. We have also added an explanation to the table with regard to what the \xe2\x80\x9cdashes\xe2\x80\x9d represent.\n\n\n\n\nFinding No. 5                  System Generated Management Information Reports Were\n                               Not Reviewed or Tested\n\nDuring our review, we identified no test cases for validating management reports generated by the\nLOS and LCS. The RFP issued by the Department required EDS to test the adequacy and accuracy\nof the production and format of system outputs, including reports, during Systems Integration\nTesting. Testing was defined to include the presentation of data, accuracy of the data, and\ncompleteness of the data reflected on the reports. EDS, in its proposal, stated that it would be able\nto provide all management reports currently available to the Department. However, EDS did not\n\n\n                                                     20\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                    Final Report                           ACN 11-70010\n\n\nappear to have tested the reports and was unable to provide management reports after the LOS was\nplaced into production.\n\nOur audit disclosed examples of application generated management reports included in some of the\ntest case folders. These reports were determined by the OIG auditors to be incomplete, inaccurate,\nand unusable by the Department in managing the Direct Loan Program. The reports contained errors\nranging from incorrect totals to reflecting records dated outside of the user specified date\nparameters. Errors contained in the reports were not documented or noted in any of the test case\nfolders by the test team. The test team appeared to have focused not on the quality or accuracy of\nthe reports, but on whether the print routine completed without error.\n\nIncomplete testing of the management reports subsequently limited the usefulness of the application\nto its intended users. Limited management reports were available to the program offices when the\napplication was placed into production, and the reports that were available were of questionable\nintegrity. The lack of useful management reports hindered the Department=s ability to monitor the\nDirect Loan program.\n\n\n\nRecommendations\n\nWe recommend that the Chief Operating Officer:\n\n1)        Develop test cases that include validating application generated reports based on test data during\n          SIT;\n\n\n2)        Ensure that SAT includes the generation, validation, and acceptance of management reports by\n          the intended users of the reports prior to system implementation; and\n\n3)        Ensure reports are produced during testing with production volumes of data.\n\n\n\nDepartment\xe2\x80\x99s Reply\n\nThe Department concurs with the finding, noting that during implementation MIS report testing was\nminimal and no contract deliverables were required. The Department also noted concurrence with the\naccompanying recommendations, stating that they have already been implemented or are in the process\nof being implemented.\n\nOIG Response\n\nWhile we appreciate the Department\xe2\x80\x99s quick action on several of these recommendations, we remain\n\n\n                                                      21\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                  Final Report                          ACN 11-70010\n\n\nconcerned once again that the responses/actions are specific to this particular contract/system. The\nDepartment must ensure that these recommendations are implemented at an organizational level, with\nappropriate management controls and policies and procedures in place to prevent the reoccurrence of\nthis issue on future system development efforts.\n\n\n\nFinding No. 6                  Loan Origination System Interfaces Were Not Adequately\n                               Tested Prior to System Implementation\n\nOur review disclosed weaknesses in testing the required interfaces to the Loan Origination System.\nThe LOS electronically exchanges data with several Department of Education systems. For example,\nfinancial accounting transaction data is transmitted to, and received from, the Central Data System on\na daily basis. The interface with the Title IV WAN allows the LOS to retrieve from, and send\ninformation to, participating schools. The ability to interface with these systems was critical to the\nsuccessful testing and implementation of the LOS. However, these interfaces were not sufficiently\ntested before implementing the LOS.\n\nThe EDS proposal states that AEDS will establish external interfaces and test them early in the\nconversion process to ensure that they support LOS testing.@ The proposal also identifies parallel\ntesting as a major activity in the Department\xe2\x80\x99s System Life Cycle Management Manual and called for\na System Certification Review to ensure that the system was ready for production release. When EDS\nrequested authorization to perform parallel processing as called for in the proposal, the Department did\nnot authorize this phase of testing. Department representatives we interviewed stated that the volume\nof production data received from the schools, in conjunction with differences in processing environments\nbetween CDSI and EDS was prohibitive to parallel testing. Other factors noted for eliminating this test\nphase included pressure to implement the EDS systems and funding limitations.\n\n\n\n\nEDS was able to complete limited stress testing at the conclusion of System Acceptance Testing. Stress\ntesting was based on EDS created data. However, when production processing was initiated, it became\nevident the test data was not representative of the production environment, due to the fact that, a\nsignificant number of data errors occurred during production when EDS processed incoming files from\nthe schools, particularly with schools operating on mainframe platforms. Inadequate testing also\ncontributed to jeopardizing the participating schools= satisfaction with the new Loan Origination System.\n\n\n\nRecommendations\n\n\n                                                    22\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                    Final Report                          ACN 11-70010\n\n\nWe recommend that the Chief Operating Officer:\n\n1)        Process production volumes of data through all applications prior to implementation of the\n          system in the production environment;\n\n2)        Establish guidelines for certifying applications to exchange data;\n\n3)        Create a data dictionary for the Office of Student Financial Assistance Programs which identifies\n          standard data formats and validation criteria for all Student Financial Aid (SFA) systems.\n\nDepartment\xe2\x80\x99s Reply\n\nThe Department noted that the LOS was subjected to two interface test periods with EDExpress (the\nDepartrment\xe2\x80\x99s school-based software), Title IV Wide Area Network, the Central Database and Payment\nManagement System. LCS compatibility was tested with the Central Database, Compass Bank and the\nprint center. Earlier testing insured that the communication protocols were fully functional between\nEDS and its trading partners. Later efforts, subsequent to systems acceptance testing enabled them to\nidentify differences in key data fields.\n\nThe Department concurs with all of our recommendations and notes they are in the process of being\nimplemented.\n\nOIG Response\n\nWe agree that there was some interface testing performed. However, as the finding notes, key tests\nwere either insufficient or not performed at all, as detailed in the finding. One key Department\nmanagement official noted that this was a lesson learned and that parallel processing and stress testing\nwould now be included in all test schedules. Our finding will therefore remain as originally presented.\n\n\n\n\n                                                                                        Appendix 1\n\n                                             ACRONYMS\n\n\n CDS                   Central Database System\n\n CDSI                  Computer Data Systems, Incorporated\n\n CTS                   Central Tracking System\n\n DMR                   Direct Loan System Modification Request\n                                                      23\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                     Final Report         ACN 11-70010\n\n\n\n\n EDS                   Electronic Data Systems\n\n IQCU                  Independent Quality Control Unit\n\n LCS                   Loan Consolidation System\n\n LCSAT                 Loan Consolidation Systems Acceptance Testing\n\n LCSIT                 Loan Consolidation Systems Integration Testing\n\n LOS                   Loan Origination System\n\n LOSAT                 Loan Origination Systems Acceptance Testing\n\n LOSIT                 Loan Origination Systems Integration Testing\n\n PSS                   Program Systems Service\n\n RFP                   Request For Proposal\n\n RTM                   Requirements Traceability Matrix\n\n SAT                   Systems Acceptance Test\n\n SIT                   Systems Integration Test\n\n SOW                   Statement of Work\n\n\n\n\n                                                       24\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              25\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              26\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              27\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              28\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              29\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              30\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              31\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              32\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              33\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              34\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes            Final Report   ACN 11-70010\n\n\n\n\n                                              35\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                 Final Report                         ACN 11-70010\n\n\n\n\n                                                                             Appendix 3\n\n\nOIG Response To Department Cover Letter Comments\n\nThe following addresses comments provided by the Department in the cover letter that accompanied\ntheir response to the report findings and recommendations. These comments were unable to be\nincorporated into and addressed elsewhere in our report.\n\n\xc3\x98 The Department expressed concern over the belief that some of the conclusions included in our\n  report were reached based on anecdotal material and should not be included in the final\n  report- specifically, much of the underlying information and analysis work supporting the\n  conclusions that system requirements were inadequately defined and there was not sufficient\n  user involvement. The Department believes that interviews upon which the conclusions were\n  based took place some three or four years after the events occurred and that not all pertinent\n  Department staff were included in the audit interview process. In addition, the Department\n  does not believe we followed audit standards that cite, where audit evidence obtained in the\n  form of oral representations is critical to an audit conclusion, the auditor should obtain\n  documentary confirmation, either on paper or through other media.\n\n      The standards quoted in the Department\xe2\x80\x99s response indicate that \xe2\x80\x9cthe IS auditor should\n      consider obtaining documentary confirmation of the representations\xe2\x80\x9d made orally. It is,\n      however, up to the auditor to determine whether the evidence provided satisfies the criteria of\n      \xe2\x80\x9crelevance, reliability, sufficiency and usefulness.\xe2\x80\x9d Documentary support is considered more\n      reliable than oral evidence alone, but in the absence of documentation, supportable conclusions\n      may be based on the oral evidence provided. If the auditor received the same or similar\n      representations of events from multiple interviewees, these may be considered reliable to\n      support an audit conclusion, in the absence of documentary evidence. We strongly believe that\n      the conclusions presented are well supported through both oral and documentary evidence that\n      is relevant, reliable and sufficient, as noted below.\n\n      With regard to system requirements definition, evidence supporting our conclusions consisted of\n      information provided through interviews with the COTR for the LOS contract, two of the\n      applicable division directors within PSS, as well as documents prepared by the contracting\n      office. Evidence was also provided through our review of the SOW and EDS\xe2\x80\x99s proposal, as\n      well as the Department\xe2\x80\x99s own evaluation report prepared under contract entitled \xe2\x80\x9cDirect Loan\n      Evaluation Assessment of Department of Education Administration: Academic Year 1995-96 &\n      1996-97\xe2\x80\x9d, issued in final in 1998 through the Office of the Undersecretary.\n\n      With regard to lack of user involvement, evidence was obtained through interviews with\n      Program (User) office heads, the LOS COTR, a PSS division director and, again, reported in\n      the Department\xe2\x80\x99s own evaluation report prepared under contract entitled \xe2\x80\x9cDirect Loan\n      Evaluation Assessment of Department of Education Administration: Academic Year 1995-96 &\n      1996-97\xe2\x80\x9d, issued in final in 1998 through the Office of the Undersecretary.\n\n                                                   36\n\x0cReview of the Department=s Requirements\nDefinition & Testing Processes                  Final Report                          ACN 11-70010\n\n\n      In addition, there is no need for \xe2\x80\x9call pertinent staff\xe2\x80\x9d to have been interviewed, any more than for\n      documentary evidence to be considered a precondition for drawing a conclusion. If it were that\n      simple, auditees could avoid audit findings by simply not keeping records, and ensuring that\n      staff were not available for interviewing. We performed a total of 18 interviews with key ED\n      employees. Interviewees were identified though a review of contract and testing\n      documentation, as well as referrals made during interviews. All applicable PSS Division\n      Directors were interviewed, applicable Program Office heads, the LOS Contracting Officer\xe2\x80\x99s\n      Technical Representative, Department on-site monitors, testing participants/leads, as well as one\n      of the key writers of the SOW and chairperson of the evaluation panel. To ensure that all\n      pertinent staff were interviewed, we even interviewed a key individual that was no longer\n      employed by the Department but had a key role in the system development and proposal\n      evaluation. We requested a listing of pertinent staff that the Department felt we had \xe2\x80\x9cmissed\xe2\x80\x9d.\n      As of the issuance of this report, we had only been provided with the name of one individual\n      who would not have materially impacted the results of this audit.\n\n\n\n\n                                                    37\n\x0c"